shm: fix null pointer deref when userspace specifies invalid hugepage size

[~andy/linux] / ipc / shm.c

diff --git a/ipc/shm.c b/ipc/shm.c
index cb858df061d37185cf96b7dadd6fe8d5d3e2b869..7e199fa1960f86087c557bcc39b08d304c2b8f7b 100644 (file)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -462,7 +462,7 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
        size_t size = params->u.size;
        int error;
        struct shmid_kernel *shp;
-       int numpages = (size + PAGE_SIZE -1) >> PAGE_SHIFT;
+       size_t numpages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
        struct file * file;
        char name[13];
        int id;
@@ -491,10 +491,20 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
 
        sprintf (name, "SYSV%08x", key);
        if (shmflg & SHM_HUGETLB) {
+               struct hstate *hs = hstate_sizelog((shmflg >> SHM_HUGE_SHIFT)
+                                               & SHM_HUGE_MASK);
+               size_t hugesize;
+
+               if (!hs) {
+                       error = -EINVAL;
+                       goto no_file;
+               }
+               hugesize = ALIGN(size, huge_page_size(hs));
+
                /* hugetlb_file_setup applies strict accounting */
                if (shmflg & SHM_NORESERVE)
                        acctflag = VM_NORESERVE;
-               file = hugetlb_file_setup(name, 0, size, acctflag,
+               file = hugetlb_file_setup(name, hugesize, acctflag,
                                  &shp->mlock_user, HUGETLB_SHMFS_INODE,
                                (shmflg >> SHM_HUGE_SHIFT) & SHM_HUGE_MASK);
        } else {